The UK's National Cyber Security Centre (NCSC) has once again sounded its concern over the rising threat level to the nation's critical national infrastructure (CNI).

In its annual review published at midnight Monday, it admitted that the level of cybersecurity resilience in the UK's most critical areas isn't where it needs to be, but is trying to "keep pace" and continue working toward greater security, despite mounting problems looming on the horizon.

"The threat is evolving. While we are making progress building resilience in our most critical sectors, we aren't where we need to be," the report states. 

"We will continue to work with partners across government, industry, and regulators to accelerate this work and keep pace with the changing threat, including tracking their resilience in line with targets set out by the Deputy Prime Minister."

Nation states and state-aligned actors - particularly those aligned to Russia, China, Iran, and North Korea - were cited as key threats to the UK's security and interests. Also contributing to the cyber-threat level to UK CNI is the ongoing conflict in Ukraine sparked by Russia's miserable invasion, and a general increase in aggressive cyber-activity.

The latest warning to CNI operators of what the NCSC said is an enduring and significant threat comes after a year of serious assaults on critical services in the UK.

Royal Mail International was the target of a serious attack by the LockBit group in January, and this was after a raid on software supplier Advanced forced the NHS to revert to pen and paper once again.

Away from the UK, major attacks on CNI have also been carried out in other territories, such as with Ireland's Health Executive Service and America's Colonial Pipeline fiasco, not to mention the myriad destructive attacks in Ukraine.

The Danish cybersecurity agency for CNI also published a detailed account of the biggest-ever attack faced by the organizations under its remit on Monday. The two-week onslaught of more than 20 CNI targets showed how quickly vulnerabilities can be exploited to cause widespread disruption.

The UK and its intelligence partners have also sought to bring attention to the cyber threat faced by allied CNI over the past year, including alerts covering Russia's cyber-espionage-enabling Snake malware and China's attacks on US organizations.

"This kind of latent threat activity cannot be discounted and it demonstrates the interest that state-sponsored actors have not only in compromising CNI networks but persisting there too," the annual review by the British read.

In the context of China, the phrase "epoch-defining" was once again rolled out, the same phrasing the UK government has been using to describe the Middle Kingdom technological capability for a while now. Fears of China growing as a technological superpower are real in government, as was expressed by NCSC CEO Lindy Cameron at CYBERUK 2023 earlier this year.

"China is not only pushing for parity with Western countries, it is aiming for technical supremacy," she said. "It will use its tech strength as a lever to achieve a dominant role in global affairs. What does this mean for cybersecurity? Bluntly we cannot afford not to keep pace otherwise we risk China becoming the predominant power in cyberspace.

"Some may dismiss this as far-fetched or scaremongering, but it is a risk I would urge you to take seriously. This is simply not something about which any of us can be complacent."

Away from nation states themselves, the NCSC also pointed to the rise of state-aligned actors - its preferred phrasing for what others might call hacktivists - and how these have expressed a willingness to cause destruction rather than the typical defacement of websites or short-lived DDoS attacks.

"Without external assistance, we consider it unlikely that these groups have the capability to deliberately cause a destructive, rather than disruptive, impact in the short term," the NCSC said. But these crews may become more effective over time, the center warned in its report. 

"While we don't believe, right now, that anyone has both the intent and capability to significantly disrupt infrastructure within the UK, we know that we can't rely on that situation persisting indefinitely," it stated.

Addressing the imbalance of priorities

Because CNI operators in the UK are spread across both the private and public sectors, some have commercial pressures placed on them in addition to those brought by cyber attackers.

Those in the private sector are beholden to shareholders and can sometimes make cybersecurity decisions that don't align with the goals of the government or the NCSC. They may have to prioritize profits and shareholder value rather than spending on cybersecurity resilience.

Even in the public sector where such commercial pressures aren't at play, the NCSC said delivery of critical services can also come at the expense of cyber resilience.

It's something that we need to do together

Due to the nature of the threat to CNI, the NCSC and UK government are working together to ensure an adequate level of resilience is mandated across all CNI sectors. By 2025, CNI organizations will have resilience targets to meet, with the idea that every operator can protect against the most prevalent threats.

As well as calling for a better baseline of security across the industry, the NCSC said it plans to continue forming international relationships to ensure attack data and learnings are shared to build resilience based on experience. 

"Working to limit the impact of cyber attacks against the UK's CNI, especially those conducted by nation states, is challenging but achievable. It's something that we need to do together."

Microsoft echoed the importance of information sharing in its Digital Defense Report this year, saying "it is of paramount importance to share security signals and threat intelligence across government and critical infrastructure organizations within a country to ensure resilience."

It also praised the various measures taken by regions throughout the past year to raise cybersecurity standards for CNI. 

The United States' TSA, for example, raised cybersecurity requirements for organizations in the transport sector and Uncle Sam's CISA made its first steps toward developing its cyber incident reporting regulations for the Critical Infrastructure Act of 2022.

The EU also rolled out NIS2, CER, and DORA - all three of which are expected to significantly raise cyber resilience in the CNI space - while Japan and Mexico have also both introduced new policies for regulating the cybersecurity of CNI operators. ®

https://www.theregister.com//2023/11/14/ncsc_cyber_readiness/